Vista virus trojan-clicker.win32.small.kj [Solved/Closed]

Hello,
I just started getting all kinds of Vista Security - Unregistered Version messages. Pop ups say I have all kinds of viruses but Norton says I'm protected. The Vista Security panel (that is also a pop up) says I need to activate my copy and pay a fee to get full time protection. One of the files is: "trojan-clicker.win32.small.kj". This looks like another scam. I cannot access the internet with the infected computer but have another computer available to download/save programs and files if needed. I would appreciate help.

4 replies

Kanna,

Please follow the following procedure carefully and to the letter.

You have a rogue virus Trojan Horse which is self-protective, thus it will prevent any antivirus from functioning.

You must kill the evil processes which the virus is presently running and preventing you from running any antivirus. If you don't, it will keep reproducing the files forever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

https://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing with excruciating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.

https://ccm.net/download/download-105-malwarebytes

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan which should take more than an hour. Once the scan is finished, delete all of the items that were found.

Hi, I have the same problem... But I have Vista... I can't find the Security Tool process at all.... My home computer is the one with the virus, so I am on my laptop, which is also Vista, and even on this one I cannot find it. I went through with the anti-malware program you provided and discovered a lot of things on my computer... and deleted them, but the main virus is still there... :/ I don't know what to do and am seriously worried about the life of my computer. If you could help me at all, it would be very much appreciated.

I recently had the same problem and someone told me to download Malwarebytes Anti-Virus, the link is here https://download.cnet.com/Malwarebytes/3000-8022_4-10804572.html

I would advise you to do a FULL scan with your Norton before you go on the internet and I would put money on it that it won't pick anything up. It worked perfect for me and my ESET Smart Security quarantined it for deletion.

Don't forget to uninstall it, because Norton on Vista sometimes doesn't like another anti-virus and it MAY slow your computer down, but it might not be the case with yours.

Hope this helps
Hello Angry

Here is something to put you in much better mood.

It is not a Trojan clicker but a Rogue Trojan Horse, and it is a scam.

You say you cannot access the Internet; please first verify your Internet Options to ensure the "Use a proxy server" box is not checked, and if so, uncheck it.

Here comes the crunch:

Vista Security is getting to be an epidemic. Some people have lost their internet connection and all of their desktop. I understand your despair.

The evil application is self-protective and will prevent running antimalware tools, including HijackThis, which is a rather simple tool.

Here are multiple suggestions; to begin with, we can try to fool this rogue Trojan.

This very efficient solution was provided by xpcman, one of our moderators and a security expert, so it has to work.

We must first end the security tool process:

1. Download Process Explorer and save it in C:\ folder.
Download link: http://live.sysinternals.com/procexp.exe

2. Rename procexp.exe to explorer.exe and double-click to run it.
3. Select Security Tool process from the list. Should be 4946550101.exe, vista security, psecurity or similar, you can't miss it. Press "Delete" button to end the process.
4. Close Process Explorer.

Do not reboot your computer for the process will be resurrected and come back to haunt your system.


5. Re download MalwareBytes anti-malware:
https://ccm.net/download/download-105-malwarebytes

6. Rename mbam-setup.exe to explorer.exe and double-click to run it. Install, update and run MalwareBytes anti-malware. Then perform a FULL computer scan and remove all found infections.

That should do it.

7. Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

8. Give me some feedback as to your mood temperature, please.

Regards
Brownie,

No, no, you are not going to key all of that; your keyboard will go up in flames.

Yet, I can't identify the malware and tell you where it is and your system is paralysed. So to quote some despotic antivirus leaders, the end justifies the means.

So here is a solution, a potent poison, sort of a gas chamber for all viruses.

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2. Close all open windows, including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

While Combofix is running, please do not mouse click or keyboard tap.

Once you are done, paste the log here and report to me on how your system is behaving.

Good luck

Ambucias
Hey Ambucias, look at me go!!!!!!!!!!!!! I will report to you shortly as to how the system is behaving. Thanks again.

ComboFix 10-04-21.01 - HP_Administrator 04/22/2010 15:35:12.1.2 - x86
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\03Q1fc.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\0580N4N5p.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\4Qp5cL.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\7Gy2Vi2g.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\87pejE8.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\b32b3bS4.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\Gsu5e.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\IQfx4H.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\j14EP.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\L78eo7G6P.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\LVpOqLYn.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\Mi865Kf.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\mUUNOQCV1.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\nk8770.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\od731.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\oyg7enw8e.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\U4V32uw5q.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\uHu7pC.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\wFls3s.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\XJcu24Nq.jpg
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-2180732656-494989104-917352227-1008
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-22 19:36 . 2010-04-22 19:36 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-22 19:18 . 2010-04-22 19:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2010-04-21 23:03 . 2010-04-21 23:03 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-21 23:03 . 2010-04-21 23:03 -------- d-----w- c:\program files\TrendMicro
2010-04-21 21:03 . 2010-04-21 21:03 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-21 21:03 . 2010-04-21 21:03 -------- d-----w- c:\program files\Trend Micro
2010-04-21 21:03 . 2010-04-21 23:03 1401344 ----a-w- C:\HiJackThis.msi
2010-04-20 23:10 . 2010-04-20 23:10 363520 ----a-w- C:\rkill.com
2010-04-20 18:16 . 2010-04-20 18:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Eastman_Kodak_Company
2010-04-20 18:12 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-04-20 18:12 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-04-20 18:10 . 2010-04-20 18:10 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\KODAK
2010-04-20 18:08 . 2010-04-20 18:08 -------- d-----w- c:\program files\Bonjour
2010-04-20 18:06 . 2010-04-22 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-04-20 18:04 . 2010-04-20 18:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Temp
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-04-19 01:36 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 01:36 . 2010-04-20 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 01:36 . 2010-04-19 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-19 01:36 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 17:48 . 2010-04-12 17:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sammsoft
2010-04-12 17:46 . 2010-04-12 22:38 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-04-12 17:31 . 2010-04-12 17:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-06 17:46 . 2010-04-06 17:48 21180296 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901cupd.exe
2010-04-05 20:30 . 2010-04-05 20:30 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-05 19:47 . 2010-04-05 20:15 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-05 19:47 . 2010-04-05 20:15 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-05 19:47 . 2010-04-05 20:30 466976 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-05 19:47 . 2010-04-05 20:30 2064416 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-05 19:47 . 2010-04-05 19:47 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-05 19:47 . 2010-04-05 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-05 19:38 . 2010-04-05 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 17:27 . 2006-01-02 19:03 3846 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2010-04-20 18:09 . 2010-04-20 18:08 -------- d-----w- c:\program files\Kodak
2010-04-12 22:39 . 2007-09-19 18:27 -------- d-----w- c:\program files\Norton Security Scan
2010-04-05 20:30 . 2010-04-05 19:47 2676 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-05 20:30 . 2010-04-05 19:47 17208 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-05 19:44 . 2009-02-15 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-10 06:15 . 2004-08-10 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 14:50 . 2010-02-28 14:50 19485640 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US64016501cupd.exe
2010-02-25 06:24 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-10 19:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-10 19:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-13 16:09 . 2010-02-13 16:09 18203568 -c--a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US60016401cupd.exe
2010-02-12 04:33 . 2004-08-10 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-10 16:58 . 2010-02-10 16:55 16820888 -c--a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026001cupd.exe
2010-01-27 13:15 . 2010-01-27 13:15 348160 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54102e73-n\msvcr71.dll
2010-01-27 13:15 . 2010-01-27 13:15 503808 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54102e73-n\msvcp71.dll
2010-01-27 13:15 . 2010-01-27 13:15 61440 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3faf2936-n\decora-sse.dll
2010-01-27 13:15 . 2010-01-27 13:15 499712 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-54102e73-n\jmc.dll
2010-01-27 13:15 . 2010-01-27 13:15 12800 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3faf2936-n\decora-d3d.dll
2006-08-02 20:03 . 2006-08-02 18:03 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 68856]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2009-12-28 2137600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-12 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-08 180269]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"HPAIO_PrintFolderMgr"="c:\windows\System32\spool\DRIVERS\W32X86\hpoopm07.exe" [2000-08-15 61440]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0316.3\mswinext.exe" [2009-09-28 240976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [x]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2009-08-05 284016]

.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 06:49]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 06:49]

2010-04-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{ADC48543-A962-41F5-8B50-B6B85D164B21}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/gulfcoast/home.cox
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ARPWRMSG.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\palmOne\Hotsync.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Updates from HP\9972322\Program\Updates from HP.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\DISC\DiscStreamHub.exe
.
**************************************************************************
.
Completion time: 2010-04-22 15:47:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 20:47

Pre-Run: 216,449,818,624 bytes free
Post-Run: 218,372,718,592 bytes free

- - End Of File - - 6F5688A7DE2656DB8338127215ABA356
My computer is working beautifully! I can finally get my life back together. I don't know how to express how thankful I am to you. But thank you, thank you, thank you!
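The ComboFix log above is the kind of output a responder has to read by eye: the Run keys, the Security Center "DisableMonitoring" switches, the firewall profile flag, the globally open ports and the catchme hidden-file count are the lines that decide whether the box is actually clean. The script below is an added example, not code from this thread, from CCM or from ComboFix (which has no parsing API). It parses a log in the layout shown above and lists the review points, including the numeric-named autostart the moderator describes earlier ("Should be 4946550101.exe, vista security, psecurity or similar"). The regexes are assumptions about that layout; the sample log is a constructed excerpt, and its "4946550101" Run entry is fabricated for illustration, not a line from the poster's log.

```python
"""Triage helper for a ComboFix log (added example; not code from the thread,
from CCM or from ComboFix, which has no parsing API). It pulls out the lines a
responder checks first after a rogue-AV cleanup; regexes assume the log layout."""
import ntpath
import re

# Constructed excerpt in the layout of the posted log. The "4946550101" Run
# entry is fabricated for illustration (the name is the one the moderator
# mentions); it is not a line from the poster's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 68856]
"4946550101"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\4946550101.exe" [2010-04-20 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
hidden files: 0
"""

KEY = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
QUOTED_FILE = re.compile(r'^"(.*)"(?:\s+\[[^\]]*\])?$')  # drops the [date size] tag
ORPHAN = re.compile(r"^(\S+) - (.+)$")

def parse_combofix(text):
    f = {"run_entries": [], "monitoring_disabled": [], "firewall_enabled": None,
         "open_ports": [], "orphans": [], "hidden_files": None}
    key, in_orphans = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            key, in_orphans = None, True
        elif line.startswith("catchme "):          # rootkit section ends the orphan list
            in_orphans = False
        elif line.startswith("hidden files:"):
            f["hidden_files"] = int(line.split(":")[1])
        elif in_orphans:
            if (m := ORPHAN.match(line)):
                f["orphans"].append((m.group(1), m.group(2)))
        elif (m := KEY.match(line)):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            name, value = m.groups()
            k = key.lower()
            if k.endswith("\\run"):
                q = QUOTED_FILE.match(value)
                f["run_entries"].append((key, name, q.group(1) if q else value))
            elif "\\security center\\monitoring\\" in k and name.lower() == "disablemonitoring":
                if value.lower().endswith("00000001"):
                    f["monitoring_disabled"].append(key.rsplit("\\", 1)[1])
            elif k.endswith("\\globallyopenports\\list"):
                f["open_ports"].append(value)
            elif k.endswith("\\firewallpolicy\\standardprofile") and name.lower() == "enablefirewall":
                f["firewall_enabled"] = value.split()[0] != "0"
    return f

USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\application data\\")

def review_points(f):
    """The short list a responder reads before calling the machine clean."""
    out = []
    for _key, name, cmd in f["run_entries"]:
        exe = ntpath.basename(cmd)                   # Windows paths, on any host
        if exe == cmd:
            out.append(f"bare executable name (found via PATH, hijackable): {name} -> {cmd}")
        elif ntpath.splitext(exe)[0].isdigit():
            out.append(f"numeric-only executable (the naming the moderator describes): {name} -> {cmd}")
        elif any(d in cmd.lower() for d in USER_WRITABLE):
            out.append(f"autostart from a user-writable directory: {name} -> {cmd}")
    for product in f["monitoring_disabled"]:
        out.append(f"Security Center monitoring off for {product} "
                   "(third-party suites set this too; confirm it is installed and running)")
    if f["firewall_enabled"] is False:
        out.append("Windows Firewall standard profile is off (expected only with a third-party firewall)")
    out += [f"globally open port: {p}" for p in f["open_ports"]]
    out += [f"removed orphan still pointed at a file: {lbl} -> {tgt}"
            for lbl, tgt in f["orphans"] if tgt != "(no file)"]
    if f["hidden_files"]:
        out.append(f"catchme reported {f['hidden_files']} hidden files")
    return out
```

Run `review_points(parse_combofix(open("ComboFix.txt").read()))` against a real C:\ComboFix.txt and read the list top to bottom. The "DisableMonitoring" and "EnableFirewall" points are deliberately worded as things to confirm rather than verdicts: McAfee and Symantec suites set those registry values themselves when they take over monitoring, so in the posted log they are consistent with the McAfee and Norton remnants elsewhere in it, and only an entry with no matching product installed is suspicious.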
I know how,

Turn off your system restore for about 45 seconds, turn it back on and then create a new restore point; you will always have that point to return to in case of need. You can name that point after me.

It was a pleasure to help, and you heard it first at Kioskea.

God bless America...and Canada
You got it!!!!!!!!!!!!!!!!!!!!!!!
